diff --git a/configs/sputnik/nginx.nix b/configs/sputnik/nginx.nix
index e382554..2c8929f 100644
--- a/configs/sputnik/nginx.nix
+++ b/configs/sputnik/nginx.nix
@@ -132,6 +132,33 @@
 };
 };
+ "chat.ingolf-wagner.de" = {
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 4443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }
+ ];
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://chat.workhorse.private";
+ proxyWebsockets = true;
+ extraConfig = ''
+ sub_filter "http://chat.ingolf-wagner.de" "https://chat.ingolf-wagner.de";
+ sub_filter "chat.workhorse.private" "chat.ingolf-wagner.de";
+ '';
+ };
+ };
+ };
+
 "nextcloud.ingolf-wagner.de" = {
 listen = [
 {
diff --git a/configs/workhorse/configuration.nix b/configs/workhorse/configuration.nix
index 38699b3..926ba1b 100644
--- a/configs/workhorse/configuration.nix
+++ b/configs/workhorse/configuration.nix
@@ -25,7 +25,7 @@
 ./weechat.nix
 ./wetten.nix
 ./nextcloud.nix
-
+ ./mattermost.nix
 ];
 networking.hostName = "workhorse";
diff --git a/configs/workhorse/graylog.nix b/configs/workhorse/graylog.nix
index 2124913..32c9113 100644
--- a/configs/workhorse/graylog.nix
+++ b/configs/workhorse/graylog.nix
@@ -47,6 +47,8 @@ in {
 services.graylog.rootPasswordSha2 = lib.fileContents ;
+ services.graylog.plugins = [ pkgs.graylogPlugins.slack ];
+
 # not working at the moment #services.geoip-updater.enable = true;
diff --git a/configs/workhorse/mattermost.nix b/configs/workhorse/mattermost.nix
new file mode 100644
index 0000000..cdc407b
--- /dev/null
+++ b/configs/workhorse/mattermost.nix
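Review bot: The `forceSSL = true` on the new `chat.ingolf-wagner.de` vhost redirects plain-HTTP visitors to `https://$host$request_uri`, i.e. port 443, while the TLS listener declared here is on port 4443; unless 443 is forwarded to 4443 in front of this host (the adjacent `nextcloud.ingolf-wagner.de` vhost appears to use the same listen pattern, so that may well be the case), the redirect lands on a closed port, and a comment on the `port = 4443;` line explaining the forward would save the next reader that question. The two `sub_filter` lines only act on `text/html` responses, only on the first match per response (`sub_filter_once` defaults to on) and not on compressed bodies; since `services.mattermost.siteUrl` in the new `mattermost.nix` is already `https://chat.ingolf-wagner.de`, consider dropping them, or at least add `sub_filter_once off;` and `proxy_set_header Accept-Encoding "";` so the rewrite is deterministic. `proxyPass = "http://chat.workhorse.private"` carries session cookies and websocket traffic to the upstream in clear text, which is fine on a trusted private link but otherwise deserves TLS or a tunnel; a comment stating which it is would help.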
@@ -0,0 +1,133 @@
+{ pkgs, lib, ... }:
+let
+
+ hostAddress = "192.168.100.20";
+ containerAddress = "192.168.100.21";
+
+in {
+
+ # backup mattermost
+ backup.all.restic.dirs = [ "/home/mattermost" ];
+
+ containers.mattermost = {
+
+ # mount host folders
+ bindMounts = {
+ home = {
+ # make sure this folder exist on the host
+ hostPath = toString "/home/mattermost/home";
+ mountPoint = "/var/lib/mattermost";
+ isReadOnly = false;
+ };
+ db = {
+ # make sure this folder exist on the host
+ hostPath = toString "/home/mattermost/db";
+ mountPoint = "/var/lib/postgresql";
+ isReadOnly = false;
+ };
+ };
+
+ # container network setup
+ # see also nating on host system.
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = containerAddress;
+
+ autoStart = true;
+
+ config = { config, pkgs, lib, ... }: {
+
+ imports = [ ];
+
+ services.nginx = {
+
+ # Use recommended settings
+ recommendedGzipSettings = lib.mkDefault true;
+ recommendedOptimisation = lib.mkDefault true;
+ recommendedProxySettings = lib.mkDefault true;
+ recommendedTlsSettings = lib.mkDefault true;
+
+ # for graylog logging
+ commonHttpConfig = let
+ access_log_sink = "${hostAddress}:12304";
+ error_log_sink = "${hostAddress}:12305";
+ in ''
+ log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
+ '"facility": "nginx", '
+ '"remote_addr": "$remote_addr", '
+ '"body_bytes_sent": $body_bytes_sent, '
+ '"request_time": $request_time, '
+ '"response_status": $status, '
+ '"request": "$request", '
+ '"request_method": "$request_method", '
+ '"host": "$host",'
+ '"upstream_cache_status": "$upstream_cache_status",'
+ '"upstream_addr": "$upstream_addr",'
+ '"http_x_forwarded_for": "$http_x_forwarded_for",'
+ '"http_referrer": "$http_referer", '
+ '"http_user_agent": "$http_user_agent" }';
+
+ access_log syslog:server=${access_log_sink} graylog2_json;
+ error_log syslog:server=${error_log_sink};
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8065 6667 ];
+ networking.firewall.allowedUDPPorts = [ 8065 ];
+
+ # setup matter most
+ services.mattermost = {
+ enable = true;
+ siteUrl = "https://chat.ingolf-wagner.de";
+ localDatabaseName = "chat";
+ localDatabaseUser = "chatty";
+ listenAddress = ":8065";
+
+ matterircd = {
+ enable = true;
+ parameters = [
+ "-mmserver chat.ingolf-wagner.de"
+ "-restrict chat.ingolf-wagner.de"
+ "-bind [::]:6667"
+ ];
+ };
+ };
+
+ # send log to host systems graylog (use tinc or wireguard if host is not graylog)
+ services.SystemdJournal2Gelf.enable = true;
+ services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
+
+ };
+ };
+
+ # give containers internet access
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-mattermost" ];
+ networking.nat.externalInterface = "eth0";
+
+ # don't let networkmanager manger container network
+ networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
+
+ # open ports for logging
+ networking.firewall.interfaces."ve-mattermost".allowedTCPPorts =
+ [ 11201 12304 12305 ];
+ networking.firewall.interfaces."ve-mattermost".allowedUDPPorts =
+ [ 11201 12304 12305 ];
+
+ # host nginx setup
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "chat.workhorse.private" = {
+ serverAliases = [ "chat.ingolf-wagner.de" ];
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${containerAddress}:8065";
+ };
+ };
+ };
+ };
+
+}
+
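Review bot: `networking.firewall.allowedUDPPorts = [ 8065 ];` inside the container opens a UDP port nothing in this file listens on (`services.mattermost.listenAddress = ":8065"` is a TCP listener and the host vhost proxies to it over TCP), and the `6667` entry in `allowedTCPPorts` admits the matterircd listener bound to `[::]:6667`, which speaks IRC without TLS; drop the UDP line and, if only the host is meant to reach the IRC side, say so in a comment or bind it to `${containerAddress}` instead of `[::]`. `services.mattermost.localDatabasePassword` is not set, so the `chatty` database user appears to fall back to the module's default password; the Postgres instance looks container-local, but a well-known default is still worth replacing with a secret read from a file. `backup.all.restic.dirs = [ "/home/mattermost" ]` also snapshots `/home/mattermost/db`, which is the live `/var/lib/postgresql` bind mount, so a restore may yield an inconsistent cluster; a `pg_dump` into the backed-up tree (e.g. `services.postgresqlBackup` inside the container) is the safer source. The two `# make sure this folder exist on the host` comments describe a manual step that `systemd.tmpfiles.rules` entries on the host could replace.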